Foreign Office and UK Government: Russian hackers infiltrate UK government emails in cyberattack targeting Foreign Office officials

Foreign Office and UK Government: Russian hackers infiltrate UK government emails in cyberattack targeting Foreign Office officials

APT28 Exploits DNS Hijacking to Breach UK Government Email Accounts

Russia’s state-backed hacking group APT28 (Fancy Bear), linked to the GRU’s Military Unit 26165, has compromised email accounts belonging to UK government and Foreign Office officials using DNS hijacking, marking a significant escalation in cyber espionage targeting Western democracies.

The attack, first flagged by the UK’s National Cyber Security Centre (NCSC) on April 7, 2026, exploited vulnerable internet routers to reroute traffic through malicious servers, silently harvesting login credentials, access tokens, and authentication details for email and web services. Unlike traditional phishing, this method intercepts legitimate traffic without requiring user interaction, making detection harder.

APT28’s campaign followed a two-phase approach: an initial opportunistic scan compromising over 18,000 networks, followed by a precision strike on high-value targets, including senior policymakers and diplomats. The NCSC attributed the attacks with high confidence to the GRU, noting the group’s long-standing focus on intelligence gathering rather than financial theft.

This tactic represents a tactical evolution from earlier spear-phishing campaigns (documented since 2018), shifting from social engineering to infrastructure-level compromise. While the NCSC emphasized that the primary goal remains espionage, the same vulnerabilities exploited in this attack unpatched edge devices and weak access controls pose risks across sectors, including crypto infrastructure.

The NCSC’s recommended mitigations firmware updates, strict access controls, and multi-factor authentication highlight persistent gaps between security best practices and real-world implementation.

Source: https://cryptobriefing.com/russian-hackers-uk-government-emails-cyberattack/

Foreign Office TPRM report: https://www.rankiteo.com/company/foreign-and-commonwealth-office

UK Government TPRM report: https://www.rankiteo.com/company/government-digital-service

"id": "forgov1783297461",
"linkid": "foreign-and-commonwealth-office, government-digital-service",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Senior policymakers and '
                                              'diplomats',
                        'industry': 'Public Sector',
                        'location': 'United Kingdom',
                        'name': 'UK Government',
                        'type': 'Government'},
                       {'customers_affected': 'Senior policymakers and '
                                              'diplomats',
                        'industry': 'Public Sector',
                        'location': 'United Kingdom',
                        'name': 'Foreign Office',
                        'type': 'Government'}],
 'attack_vector': 'DNS Hijacking',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Login credentials',
                                              'Access tokens',
                                              'Authentication details']},
 'date_detected': '2026-04-07',
 'date_publicly_disclosed': '2026-04-07',
 'description': 'Russia’s state-backed hacking group APT28 (Fancy Bear), '
                'linked to the GRU’s Military Unit 26165, has compromised '
                'email accounts belonging to UK government and Foreign Office '
                'officials using DNS hijacking, marking a significant '
                'escalation in cyber espionage targeting Western democracies.',
 'impact': {'data_compromised': ['Login credentials',
                                 'Access tokens',
                                 'Authentication details'],
            'systems_affected': ['Email accounts', 'Web services']},
 'initial_access_broker': {'entry_point': 'Vulnerable internet routers',
                           'high_value_targets': ['Senior policymakers',
                                                  'Diplomats']},
 'lessons_learned': 'The attack highlights persistent gaps between security '
                    'best practices and real-world implementation, '
                    'particularly in patching edge devices and enforcing '
                    'strict access controls.',
 'motivation': 'Intelligence gathering',
 'post_incident_analysis': {'corrective_actions': ['Firmware updates',
                                                   'Strict access controls',
                                                   'Multi-factor '
                                                   'authentication'],
                            'root_causes': ['Unpatched edge devices',
                                            'Weak access controls']},
 'recommendations': ['Firmware updates',
                     'Strict access controls',
                     'Multi-factor authentication'],
 'references': [{'source': 'UK’s National Cyber Security Centre (NCSC)'}],
 'response': {'remediation_measures': ['Firmware updates',
                                       'Strict access controls',
                                       'Multi-factor authentication']},
 'threat_actor': 'APT28 (Fancy Bear)',
 'title': 'APT28 Exploits DNS Hijacking to Breach UK Government Email Accounts',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': ['Vulnerable internet routers',
                             'Unpatched edge devices',
                             'Weak access controls']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.